Journey to the Virtual World

Monitoring changes to VMware vSphere Template

Template is a common features used by many VMware Administrators. There are articles such as this on how to manage the version. So I will cover something that I could not find in google, which is how you prove to auditor that your templates have not been modified by unauthorised person. If a template has been modified, you want to know who did it.

The good thing is there are only a few things you can change to a template. The bulk of the changes require the template to be converted into a VM. The changes you can make to the templates are shown below:

You can see that you can rename the template, change the permission, and convert it into a VM. All these are tracked in vCenter. This means a log analysis tool can visualise it better for you.

Let’s see who rename it. Perform a text search on templateand renamed. You can see an example below.

As most changes on template require the conversion into a VM, let’s see who converted a template into a VM, and vice versa. Log Insight already has a field for it, so it’s a matter of specifying it. Choose the field, and specify that it should contain mark*

In the above, I only have 1 template that I changed. You can see that it captures information such as who did it, what time, to what template and in which cluster.

If you want to see only the changes to VM, you can filter the field further, as shown below.

Hope you find it useful in entertaining, I mean assuring, your auditor team.